In 2005, Dick Hardt stood at a conference podium and argued that you should control your own identity online. Not your bank. Not Yahoo. Not the website you just registered on. You. The proposal was technically specific: a portable credential, user-held, with minimal attribute disclosure. The phrase was user-centric identity.
That proposal did not win commercially. What won was centralized login, third-party tracking, and a data economy that assembles a detailed record of you — your browsing habits, your inferred health conditions, your purchase history, your political signals — without your active participation and largely without your knowledge.
The legal system’s answer to that outcome is still being written. One of the most powerful tools in that answer is the Data Subject Access Request: the right, enforceable under GDPR Article 15, to see exactly what data an organization holds on you, where it came from, who it has been shared with, and why they think they are allowed to keep it.
This is user-centric identity — translated from a protocol into a legal right. It does not give you the portable credential that OpenID was trying to build. But it gives you something the original vision never had: a right to demand a full accounting, backed by regulatory enforcement.
What Is a Data Subject Access Request?
A Data Subject Access Request (DSAR) is a formal request to an organization — a company, a government body, any data controller — asking them to disclose all personal data they hold about you. The right derives from GDPR Article 15 (for EU/EEA residents) and from equivalent laws in the UK (UK GDPR), Brazil (LGPD), California (CCPA), and other jurisdictions.
Under GDPR Article 15, you are entitled to receive confirmation of whether the controller processes your personal data, and if so, access to that data. This is not a limited disclosure. It covers every record tied to your identity: account data, behavioral logs, inferred attributes, communication history, advertising profiles, scoring models, and derived data that the organization generated from your activity. If they hold it and it relates to you, it is in scope.
The right applies regardless of how the data was collected. Data the organization received from you directly (a form you filled in), data collected by observation (your clicks, your device fingerprint), and data purchased or received from third parties are all covered. The record that assembles your identity on their servers does not have to originate from you to be disclosable to you.
What Data You Can Request
GDPR Article 15(1) lists the specific information you are entitled to receive. In practice, a complete DSAR response should cover:
| Category | What the controller must disclose |
|---|---|
| The personal data itself | A copy of every data point tied to your identity — account fields, behavioral logs, purchase history, communications, inferred attributes, scores or categories assigned to you |
| Purposes of processing | Why they process your data and under which legal basis (consent, legitimate interest, contract, legal obligation, etc.) |
| Categories of data | What types of personal data they hold (identifying, financial, health-related, behavioral, etc.) |
| Recipients or categories of recipients | Who they have shared or disclosed your data to — third-party processors, advertising networks, analytics providers, data brokers |
| Retention periods | How long they intend to keep each category of data, or the criteria used to determine retention |
| Source of the data | Where data not collected directly from you came from — a purchased list, a social media platform, a data enrichment provider |
| Automated decision-making | Whether you are subject to any automated processing (credit scoring, behavioral targeting, content filtering) and meaningful information about the logic involved |
| Cross-border transfers | Whether your data is transferred to countries outside the EU/EEA, and the safeguards in place for those transfers |
The last item — automated decision-making — is one of the most revealing in practice. Under Article 15(1)(h), you are entitled to meaningful information about the logic involved in any automated decisions, along with the significance and envisaged consequences of such processing. This applies most clearly to credit and insurance scoring models. It can also reach ad-targeting systems that sort you into audience segments, but only where the processing produces legal or similarly significant effects, the threshold Article 22 sets for solely automated decisions.
The One-Month Timeline
Under GDPR Article 12(3), a controller must respond to a data subject access request within one calendar month of receipt. The clock starts when they receive the request, not when they process it or verify your identity.
There is a limited extension available: if the request is “complex or numerous,” the controller may extend by a further two months, for a maximum of three months total. If they rely on this extension, they must notify you within the first month, before the original deadline passes, and explain why the extension is necessary.
- Standard deadline: 1 calendar month from receipt
- Maximum extension: 2 additional months (total: 3 months), with notification required before the original deadline
- Response format: Electronic, if the request was made electronically, unless you request otherwise
- Cost: Free for the first request; reasonable fee or refusal permitted for manifestly unfounded or excessive repeat requests
- Identity verification: The controller may ask for verification of your identity. They may not demand excessive documentation — proportionate confirmation only.
If a controller fails to respond within the timeline, or refuses a request without a lawful basis, you can complain to the supervisory authority in your EU member state. In Germany, that is the relevant Landesbeauftragter für den Datenschutz; in the UK, the ICO; at the EU level, the EDPB coordinates across jurisdictions.
How to File a DSAR
A DSAR does not require a specific form, legal language, or a lawyer. You can send it as a plain email. What it does need to be is clear: that you are making a data subject access request under GDPR Article 15, that you want a copy of all personal data they hold about you, and that you want the supplementary information required by Article 15(1).
The elements that should always appear in your request:
- A clear statement that this is a data subject access request under GDPR Article 15 (or UK GDPR Article 15, depending on jurisdiction)
- Enough identifying information to allow the controller to find your records — your email address, account number, or any other identifier they would associate with you
- A request for a copy of all personal data, plus the supplementary Article 15(1) information (purposes, recipients, retention periods, sources, transfer safeguards, automated decision-making)
- Your preferred response format and delivery method
- The date of the request (starts the clock)
Send it to the organization’s designated data protection contact, usually their Data Protection Officer (DPO) if they have one, or their general legal or privacy contact if not. Most larger organizations publish a privacy or DPO email address in their privacy policy. If you need a structured letter with the correct legal language, the DSAR letter generator on this site produces one formatted to the standard — input your details, download the letter, send it.
How Companies Must Respond
A complete DSAR response is not a privacy policy. It is not a general description of data practices. It is the actual data — your specific records — plus the specific answers to each Article 15(1) question as they apply to your individual data.
In practice, responses vary in quality. Well-resourced organizations with established privacy programs typically have a DSAR portal or process that delivers a structured response. Smaller organizations frequently misunderstand the scope — they provide only what you submitted directly to them and omit behavioral logs, inferred data, and third-party sources.
What a response must contain:
- A copy of the personal data in a commonly used electronic format (usually CSV, PDF, or JSON export)
- A description of the purposes and legal bases for each category of processing
- A list of recipients or recipient categories — not just “our service providers” but specifically who has received the data
- The retention period or the criteria for determining it
- For data not collected directly from you: the source
- For automated decisions that significantly affect you: meaningful information about the logic
If a controller refuses to fulfill a request — claiming it is manifestly unfounded, excessive, or that a specific exemption applies — they must tell you why, in writing, and inform you of your right to complain to a supervisory authority and seek judicial remedy. Silence or a form response that does not address your actual request is not a valid response.
What DSARs Reveal About the Identity Record
The practical value of filing a DSAR is that it turns an abstract question — what do they know about me? — into a concrete document. What most people discover, when they actually go through a DSAR response from a large platform or data broker, is that the identity record is far more detailed than expected.
Common findings include inferred attributes that were never stated (interest categories, life stage segments, purchasing power brackets), behavioral logs going back months or years, advertising IDs that connect activity across devices, and third-party data sources that the person had no direct relationship with. The connection between how online identity became a privacy problem and the content of a DSAR response is not metaphorical — it is literal. The record assembled about you through tracking infrastructure is what you are requesting access to.
There is also a useful side effect: filing a DSAR often prompts organizations to review what they actually hold and how long they have held it, which sometimes results in voluntary deletion or data minimization. Knowing that a subject can inspect the record creates different retention incentives than knowing that the record is invisible.
DSAR vs. Erasure: Which Right to Use
A data subject access request (Article 15) is about seeing the record. It is a different right from the right to erasure (Article 17, the “right to be forgotten”). These are often confused.
Access first, then erasure is the more effective sequence. Without seeing the record — what data exists, what legal basis the controller claims for processing it, which third parties have received it — an erasure request is partially blind. If the controller’s retention is based on a legal obligation or a legitimate interest that overrides your rights, erasure will be refused; knowing that in advance helps you frame the subsequent argument or complaint correctly.
The right to data portability (Article 20) is a third related right: not just to see the data, but to receive it in a structured, machine-readable format that you can transfer to another controller. This is the closest current law comes to the portable credential concept that the user-centric web was trying to design in 2006 — your data, in your hands, usable elsewhere. Article 20 applies only to data you provided directly and that is processed by automated means, so it is narrower than Article 15, but it is the functional implementation of the portability principle.
Who Has a DSAR Right and Where
GDPR Article 15 applies to data subjects in the European Union and EEA. UK GDPR, post-Brexit, contains equivalent provisions with the same one-month timeline and scope. Brazil’s LGPD (Lei Geral de Proteção de Dados, Articles 18 and 19) includes access rights covering the same categories. California’s CCPA (Section 1798.110) gives consumers access rights that are broadly similar in scope, though the timeline differs: 45 days for initial response, with a 45-day extension available.
For the growing number of jurisdictions with comprehensive data protection laws — India (DPDP Act), Canada (PIPEDA and provincial equivalents), Australia (Privacy Act), Japan (APPI) — access rights exist but vary in scope and enforcement. The GDPR framework is the most detailed and most enforced, which is why most international organizations calibrate their DSAR processes to GDPR requirements.
The User-Centric Identity Vision, Delivered Through Law
The early user-centric identity arguments — that you should be able to see what claims are made about you, that data disclosure should be minimal and purposeful, that you should have some mechanism for correcting or removing erroneous records — are structurally present in GDPR Article 15. They arrived through a different mechanism than the protocol designers envisioned. Rather than being built into the login layer by technical design, they were mandated at the regulatory layer after the fact.
This is a slower and more contested path than protocol design would have been. Enforcement is uneven. Many organizations respond to DSARs incompletely. The data broker ecosystem, which is the most problematic part of the identity record problem, is regulated but not yet systematically controlled. The user-controlled identity era that OpenID was meant to inaugurate did not arrive as a technical infrastructure. It arrived, partially, as a legal entitlement.
That is worth knowing. The right exists. It is enforceable. Using it is how you find out what the record actually says.
Frequently Asked Questions
Can a company charge me for a DSAR?
For the first request in a given period, no. GDPR requires controllers to provide access free of charge. If you make requests that are “manifestly unfounded or excessive” — particularly repetitive requests — the controller may charge a reasonable administrative fee or refuse to act. They must justify this decision in writing.
What if a company ignores my DSAR?
A failure to respond within the one-month deadline (or three months if an extension was lawfully claimed) is a violation of GDPR Article 12(3). You can file a complaint with the supervisory authority in your EU member state. You can also seek judicial remedy directly in your national courts. Supervisory authorities can investigate and impose fines under GDPR Article 83.
Do I need to say GDPR Article 15 explicitly?
You do not need legal citations to make the request, but including “GDPR Article 15” clarifies the legal basis and signals that you know your rights, which tends to produce more complete responses. It also sets the correct legal timeline from the moment of receipt.
Can I make a DSAR to a data broker I have never signed up with?
Yes. The right applies to any controller processing your personal data, regardless of how they obtained it. If a data broker holds a profile on you assembled from third-party sources, they are processing your personal data and you are entitled to access. The challenge is identifying which brokers hold your data — the DSAR letter generator includes guidance on common broker categories.